5.1. LDAP support

A feature in the cryptography libraries used in the LDAP
libraries causes programs that use LDAP and attempt to
change their effective privileges to fail when connecting to an
LDAP server using TLS or
SSL. This can cause problems for setuid programs on
systems using libnss-ldap like
sudo, su or schroot
and for setuid programs that perform LDAP searches like sudo-ldap.

It is recommended to replace the libnss-ldap package with libnss-ldapd, a newer library which uses a
separate daemon (nslcd) for all LDAP
lookups. The replacement for libpam-ldap is libpam-ldapd.

5.2. Security status of web browsers

Debian 7.0 includes several browser engines which are affected by a
steady stream of security vulnerabilities. The high rate of vulnerabilities
and partial lack of upstream support in the form of long term branches make
it very difficult to support these browsers with backported security fixes.
Additionally, library interdependencies make it impossible to update to
newer upstream releases. Therefore, browsers built upon the webkit, qtwebkit
and khtml engines are included in Wheezy, but not covered by security
support. These browsers should not be used against untrusted websites.

Xulrunner has had a history of good backportability for older releases over
the previous release cycles. Chromium - while built upon the Webkit codebase
- is a leaf package, which will be kept up-to-date by rebuilding the current
Chromium releases for stable.

5.3. ConsoleKit and alternative display managers

ConsoleKit in Debian 7.0 does not consider sessions started using
startx or display managers lacking consolekit integration (e.g. xdm or slim) as local, which might prevent access to
some devices.

We recommend using one of gdm3,
kdm or lightdm instead.

5.4. GNOME desktop changes and support

By default, some accessibility tools are not enabled in the GNOME display
manager (gdm3). The simplest way to
enable zooming or a visual keyboard is to activate the “shell”
greeter.

To do that, edit the /etc/gdm3/greeter.gsettings file,
and uncomment the following:

session-name='gdm-shell'

while commenting out

session-name='gdm-fallback'

Note that it requires a compatible 3D graphics card — which is the reason
why it is not enabled by default.

5.5. KDE desktop changes

The knetworkmanager package has been
deprecated, and replaced by plasma-widget-networkmanagement in the new KDE
Plasma Workspace.

If you are using the deprecated knetworkmanager
standalone application, you should be prepared to do some manual
configuration after the upgrade. You might need to manually add
plasma-widget-networkmanagement to your panel or desktop.

Also, if the network connection shouldn't depend on having a network-manager
widget running, you might want to set it as a “system
connection”.

5.6. NetworkManager

NetworkManager can detect if a network interface is
managed by ifupdown in order to avoid conflicts, but is
not able to do so with other network management programs such as
wicd-daemon. Problems and unexpected behavior can result
if two such daemons are managing the same interface when attempting to make
a network connection.

For instance, if wicd-daemon and
NetworkManager are both running, attempting to use a
wicd client to make a connection will fail with the error
message:

Connection Failed: bad password

Attempting to use a NetworkManager client may likewise
fail with the message:

NetworkManager is not running. Please start it.

It is recommended that users of GNOME consider installing and trying
NetworkManager, but the NetworkManager
daemon may be permanently disabled if desired using the following command:

# update-rc.d network-manager disable

After disabling the daemon, it is recommended to examine the contents of
/etc/resolv.conf. This file is used to specify DNS
servers for name resolution and the contents of this file may have been
replaced by NetworkManager.

5.7. perl-suid removed

suidperl was removed upstream with 5.12, so the
perl-suid package which used to be
distributed in Debian has been removed too. Possible alternatives include
using a simple setuid C wrapper to execute a Perl script from a hard-coded
location, or using a more general tool like sudo.

The same advice applies if you have request-tracker3.6 or older packages from
previous Debian releases still in use; if this is the case it is recommended
to upgrade step by step, following the appropriate upgrade documents.

5.10. /etc/mtab and _netdev

The file /etc/mtab, used to store the list of currently
mounted filesystems, has been changed to be a symbolic link to
/proc/mounts. For almost every case, this change will
result in a more robust system since the list can never become inconsistent
with reality. However, if you use the _netdev option in
/etc/fstab to indicate that a filesystem is a network
filesystem requiring special handling, this will no longer be set in
/proc/mounts after rebooting. This will
not cause problems for standard network filesystems
such as NFS, which do not rely on the
_netdev option. Filesystems which are
unaffected by this issue are ceph,
cifs, coda, gfs,
ncp, ncpfs, nfs,
nfs4, ocfs2 and
smbfs. For filesystems which do
rely on _netdev for correct unmounting at shutdown, for
example when using an NBD, a static mtab will be the only
way to use _netdev in wheezy. If you have such a setup,
then after completing the upgrade to wheezy restore a static
/etc/mtab by doing the following:

Edit /etc/init.d/checkroot.sh, and comment out these
lines:

if [ "$rootmode" != "ro" ]; then
mtab_migrate
fi

If you have rebooted the system, and /etc/mtab is now a
symbolic link:

# rm /etc/mtab
# cp /proc/mounts /etc/mtab

Re-add the _netdev option by remounting the affected
filesystems:

# mount -o remount filesystem

/etc/mtab will be recreated fully next time you reboot
the system.
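
To find out whether a system has mounts that need this procedure, the following added example (not part of the release notes) reads an fstab on standard input and prints every entry that uses _netdev with a filesystem type outside the unaffected list above. The function names and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Added example: report fstab entries that rely on _netdev and are not
# covered by the "unaffected" filesystem list from section 5.10.

# Filesystem types the release notes list as unaffected.
UNAFFECTED="ceph cifs coda gfs ncp ncpfs nfs nfs4 ocfs2 smbfs"

# netdev_at_risk: read fstab(5) lines on stdin and print
# "<mount point> <fstype>" for each entry that needs a static /etc/mtab.
netdev_at_risk() {
    awk -v safe="$UNAFFECTED" '
        BEGIN { n = split(safe, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and short lines
        {
            m = split($4, opt, ",")        # field 4 holds the mount options
            for (i = 1; i <= m; i++)
                if (opt[i] == "_netdev" && !($3 in ok)) { print $2, $3; break }
        }
    '
}

# Constructed sample fstab: one NFS mount, one NBD-backed ext3, one CIFS share.
sample_fstab() {
    cat <<'EOF'
# <file system>  <mount point>  <type>  <options>  <dump>  <pass>
/dev/sda1       /           ext4  errors=remount-ro              0 1
server:/export  /srv/nfs    nfs   rw,_netdev                     0 0
/dev/nbd0       /srv/nbd    ext3  defaults,_netdev               0 0
//fs/share      /srv/share  cifs  _netdev,credentials=/etc/cred  0 0
EOF
}

# Only the NBD-backed mount is reported for the sample.
sample_fstab | netdev_at_risk
```

On a real system, run it as netdev_at_risk < /etc/fstab; no output means no static mtab is needed.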

5.11. The pdksh to mksh transition

The Public Domain Korn Shell (pdksh)
package is being retired for the release after wheezy, since
pdksh is no longer maintained (it has not been actively
developed since 1999).

The MirBSD Korn Shell (mksh)
package contains its successor; it has evolved from the Public Domain Korn
Shell and has been kept up to date with the POSIX standard on the shell. In
Debian wheezy, pdksh is a
transitional package using lksh, a variant of mksh built with special compatibility options to
provide a pdksh binary symlink. This compatibility
binary behaves more like the traditional Public Domain Korn Shell than the
current mksh. However, as it contains behavior-changing
bugfixes, it is not a pure drop-in replacement. So, you're advised to change
your

#!/bin/pdksh

scripts to

#!/bin/mksh

and test them. If the test fails, you're advised to fix your scripts. If,
for some reason, this is not possible, you can change them to

#!/bin/lksh

scripts, and test them again. This test has more chances of succeeding
without changing a lot of your code. However, be aware that at some point in
the future the transitional package will get dropped from Debian.

The compatibility binary is not suitable for interactive use, so as system
administrator, adjust the login shell of your Korn Shell users. For minimal
service interruption, do this before the upgrade of the operating system:
manually install the mksh package and change
the login and/or interactive shells of users that use
pdksh to mksh. Furthermore, you're
encouraged to copy /etc/skel/.mkshrc into their home
directories: this provides some shell functions like
pushd, popd and
dirs and a nice PS1 (shell prompt).
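
An inventory step before the migration described above, as an added example that is not part of the release notes: it lists the accounts whose login shell is pdksh and the scripts whose first line is a pdksh shebang. The function names, the sample passwd lines and the demo directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: find what still depends on pdksh before switching to mksh.

# pdksh_login_users: read passwd(5) lines on stdin and print the users
# whose login shell (field 7) is a pdksh binary.
pdksh_login_users() {
    awk -F: '$7 ~ /(^|\/)pdksh$/ { print $1 }'
}

# pdksh_scripts DIR: print regular files under DIR whose first line is a
# shebang naming pdksh, with or without arguments.
pdksh_scripts() {
    find "$1" -type f -exec awk \
        'FNR == 1 && $0 ~ "^#!.*[/ \t]pdksh([ \t]|$)" { print FILENAME }' {} +
}

# Constructed sample passwd entries.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/pdksh
bob:x:1001:1001:Bob:/home/bob:/bin/mksh
carol:x:1002:1002:Carol:/home/carol:/usr/bin/pdksh
EOF
}

# Constructed demo directory: one script still on pdksh, one already migrated.
demo=$(mktemp -d)
printf '#!/bin/pdksh\necho backup\n' > "$demo/backup.ksh"
printf '#!/bin/mksh\necho report\n' > "$demo/report.ksh"

sample_passwd | pdksh_login_users
pdksh_scripts "$demo"
```

On a real system, feed it getent passwd and point pdksh_scripts at the directories that hold local scripts.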

5.12. Puppet 2.6 / 2.7 compatibility

When upgrading a Puppet managed system from squeeze to wheezy, you must
ensure that the corresponding puppetmaster runs at least Puppet version
2.7. If the master is running squeeze's puppetmaster, the managed wheezy system will not
be able to connect to it.

Such a combination will lead to the following error message during a
puppet agent run:

Could not retrieve catalog from remote server: Error 400 on SERVER: No support for http method POST

In order to resolve this issue the puppetmaster must be upgraded. A 2.7
master is able to manage a 2.6 client system.

5.13. Multiarch implications for the toolchain

The introduction of multiarch (as described in Section 2.3.2, “Multiarch”)
changes the paths for some files, which may break assumptions made by
toolchain components. Debian's toolchain has been updated, but users
trying to build or use external compilers might need to be aware of this.

Some hints to work around these issues can be found in
/usr/share/doc/libc6/NEWS.Debian.gz and in bug report
#637232.

5.14. Cyrus SASL SQL backends

Configuration of SQL engine backends for Cyrus SASL, as provided in the
libsasl2-modules-sql package, has
changed from database specific configuration (e.g.
mysql) to the generic sql auxprop
plugin.

Configuration files for applications using SASL have to be updated, for
example:

auxprop_plugin: mysql

should be replaced by:

auxprop_plugin: sql
sql_engine: mysql

In addition, the SQL query (if used) needs to have %u
replaced with %u@%r, because user and realm are now
provided separately.
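
Both changes applied in one pass, as an added example that is not part of the release notes: a filter that rewrites the plugin line and the query placeholder, and is safe to run twice. It assumes the query is held in the sql plugin's sql_select option; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: migrate a SASL application config from the database
# specific "mysql" auxprop plugin to the generic "sql" plugin.

# migrate_sasl_conf: read the old config on stdin, write the new one on stdout.
migrate_sasl_conf() {
    awk '
        # The database specific plugin name becomes sql plus an engine line.
        /^[ \t]*auxprop_plugin:[ \t]*mysql[ \t]*$/ {
            print "auxprop_plugin: sql"
            print "sql_engine: mysql"
            next
        }
        # Assumption: the query lives in sql_select. User and realm are now
        # passed separately, so %u becomes %u@%r. Collapsing an existing
        # %u@%r first keeps the rewrite idempotent.
        /^[ \t]*sql_select:/ {
            gsub(/%u@%r/, "%u")
            gsub(/%u/, "%u@%r")
        }
        { print }
    '
}

# Constructed sample of a pre-upgrade configuration file.
sample_old_conf() {
    cat <<'EOF'
pwcheck_method: auxprop
auxprop_plugin: mysql
sql_select: SELECT password FROM users WHERE email = '%u'
EOF
}

sample_old_conf | migrate_sasl_conf
```

Write the result to a new file and compare it with the original before replacing it, since a second sql_engine line is not wanted if the file was already migrated by hand.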

5.15. Firmware for network and graphics drivers

Some hardware drivers, including drivers for (wired or wireless) network
cards, as well as the driver for ATI/AMD graphics chipsets, require loadable
firmware in order to operate properly.

That firmware is often not free software, and as such only available from
the non-free archive, in the firmware-linux and other
packages.